Howto::Firewall

From Computer Science Wiki
Revision as of 18:00, 20 November 2020 by Carnold (talk | contribs) (Protected "Howto::Firewall" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
Jump to navigation Jump to search

Overview

Using a firewall to limit services to VT Campus is a quick and easy way to protect your services and server from getting hacked. The service can still be accessible from outside Campus by using VT's VPN service. These instructions show you how to protect a service running on TCP port 3306, you can change the port number to protect other services.

There are different firewall programs available on different Operating Systems. Make sure you follow the instructions for the specific firewall running on your operating system.

firewalld

As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN.

Create new zone

  • sudo firewall-cmd --new-zone=campus --permanent
  • sudo firewall-cmd --reload

Set the source ranges

  • sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
  • sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
  • Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up to date source IP list

Add the service(s)

  • sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
  • You add additional ports as needed, just change the port number

Check your rules

  • sudo firewall-cmd --zone=campus --list-all
Retrieved from "http://wiki.cs.vt.edu/index.php?title=Howto::Firewall&oldid=4109"